Security

How we protect your audio, your transcripts, and your payments.

Audio handling

  • All uploads happen over TLS.
  • Files are stored only on the processing server's temporary disk for the duration of brief generation, typically seconds.
  • Filenames are randomised before storage. Original filenames are never logged.
  • Files are deleted as soon as Whisper returns the transcript.
  • A nightly cleanup process removes any temporary file older than two hours, as a safety net.

Transcripts and briefs

  • Transcripts live in process memory only, never written to disk, never logged.
  • Briefs are dropped from memory after delivery.
  • Generated export files (PDF, DOCX, TXT) are deleted after two hours.

Payments

  • Card details are handled exclusively by Paystack. Trootone never sees them.
  • Every payment reference is verified server-side against Paystack's API before any brief is generated.
  • Used references are recorded to prevent replay attacks.
  • Payment logs are kept for accounting only.
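The two payment rules above (verify server-side before generating anything, and record used references so a second submission is refused) combine into one redemption step. The block below is an added illustration, not Trootone's code: the gateway call is a constructed stand-in for a server-side verify request, the tier prices and reference strings are made up, and the response shape `{"status", "amount"}` is an assumption for the example rather than Paystack's documented schema.

```python
import threading

# Price of one brief per tier, in the gateway's minor currency unit
# (constructed values for this example).
TIER_PRICES = {"single": 2500, "pro": 9900}


class PaymentReferenceLedger:
    """Accepts a payment reference once: verified against the gateway first,
    then marked as used.

    `gateway_verify` stands in for the server-side call to the payment
    provider's verify endpoint. Its response shape ({"status", "amount"}) is an
    assumption made for this example, not the provider's documented schema.
    """

    def __init__(self, gateway_verify):
        self._gateway_verify = gateway_verify
        self._used = set()           # in-memory here; persist this in a real service
        self._lock = threading.Lock()

    def redeem(self, reference, tier):
        """Return "ok" if a brief may be generated for this reference, else why not."""
        # 1. Verify server-side. The client's own "payment succeeded" redirect
        #    is not evidence of anything.
        result = self._gateway_verify(reference)
        if result is None or result.get("status") != "success":
            return "not paid"
        if result.get("amount") != TIER_PRICES.get(tier):
            return "amount mismatch"  # a cheaper reference must not unlock a pricier tier
        # 2. Record the reference atomically: check-and-add under one lock so two
        #    concurrent submissions of the same reference cannot both pass the test.
        with self._lock:
            if reference in self._used:
                return "replay"
            self._used.add(reference)
        # 3. Only now would the brief be generated (not shown here).
        return "ok"


def fake_gateway(reference):
    """Constructed stand-in for the provider's verify call, keyed on sample references."""
    responses = {
        "ref_paid_pro": {"status": "success", "amount": 9900},
        "ref_paid_single": {"status": "success", "amount": 2500},
        "ref_abandoned": {"status": "abandoned", "amount": 9900},
    }
    return responses.get(reference)


def demo():
    """Run the sample references through one ledger and return each outcome."""
    ledger = PaymentReferenceLedger(fake_gateway)
    return [
        ledger.redeem("ref_paid_pro", "pro"),      # first use: ok
        ledger.redeem("ref_paid_pro", "pro"),      # same reference again: replay
        ledger.redeem("ref_paid_single", "pro"),   # paid for a cheaper tier: amount mismatch
        ledger.redeem("ref_abandoned", "pro"),     # gateway says not successful: not paid
        ledger.redeem("ref_unknown", "pro"),       # gateway has never seen it: not paid
    ]


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the reference is only marked as used after the gateway confirms it, so a mismatched or unpaid reference is not burned, while a confirmed one can never unlock a second brief. The set in this example lives in memory and would reset on restart; the record of used references has to be stored durably for the guarantee to hold.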

Magic-link tokens

  • Multi-brief packs use signed JWTs as the only key to your remaining briefs.
  • Tokens are bound to your email address and tier and signed with a server-side secret.
  • If you lose your magic link, contact us. We can re-issue it after verifying your payment.
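To show what "bound to your email address and tier and signed with a server-side secret" means in practice, here is an added example of an HS256-signed JWT issued and verified with only the Python standard library. It is illustration code written for this page, not Trootone's implementation: the secret, the claim names (`sub`, `tier`, `briefs`, `iat`, `exp`) and the sample values are all constructed, and a production service would normally use a maintained JWT library rather than hand-rolling the encoding.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example. A real server loads it from configuration;
# it never leaves the server, which is what makes a token unforgeable.
SERVER_SECRET = b"example-only-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_magic_token(email, tier, briefs, ttl_seconds, secret=SERVER_SECRET, now=None):
    """Issue an HS256 JWT whose claims bind the pack to one email address and tier."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": email, "tier": tier, "briefs": briefs, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(_sign(signing_input, secret))


def verify_magic_token(token, expected_tier=None, secret=SERVER_SECRET, now=None):
    """Return the claims of a token that is well-formed, correctly signed and unexpired.

    Raises ValueError for anything else. The signature is checked before the
    claims are parsed, so nothing inside an unverified body is ever trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")  # refuses alg=none and similar downgrades
    expected_sig = _sign(header_b64 + "." + claims_b64, secret)
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if expected_tier is not None and claims.get("tier") != expected_tier:
        raise ValueError("tier mismatch")
    return claims


def rejection_reason(token, **kwargs):
    """The ValueError message for a refused token, or None if it is accepted."""
    try:
        verify_magic_token(token, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def demo():
    """Issue one token and show which manipulations the verifier refuses."""
    now = 1_700_000_000
    token = issue_magic_token("buyer@example.com", "pro", 5, 3600, now=now)
    header_b64, claims_b64, sig_b64 = token.split(".")
    # Change one character of the claims segment: the body differs, the signature no longer matches.
    edited = ("A" if claims_b64[0] != "A" else "B") + claims_b64[1:]
    return {
        "accepted": rejection_reason(token, expected_tier="pro", now=now + 60),
        "edited_claims": rejection_reason(header_b64 + "." + edited + "." + sig_b64, now=now + 60),
        "wrong_secret": rejection_reason(token, secret=b"another-secret", now=now + 60),
        "expired": rejection_reason(token, now=now + 3600),
        "wrong_tier": rejection_reason(token, expected_tier="team", now=now + 60),
    }


if __name__ == "__main__":
    print(demo())
```

Because the email and tier sit inside the signed payload, editing either one invalidates the signature, and the server can refuse a token for a tier it was never issued for. The `alg` check and the constant-time comparison are the two details most often missed in hand-written verifiers, and the reason a maintained library is the better choice in production.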

Free-tier abuse prevention

  • One free brief per email, per device, per IP, verified by a code emailed to you.
  • Disposable email providers are blocked.
  • Bot protection is provided by Cloudflare Turnstile.

Reporting a vulnerability

Trootone is a small team that takes security seriously. If you discover a vulnerability in our platform, we would rather hear from you directly than find out another way.

If you find a security issue, please email hello@trootone.com with the following information:

  • A description of the vulnerability and where you found it.
  • The steps needed to reproduce it.
  • The potential impact as you see it.
  • Your contact details, if you are happy for us to follow up.

We will acknowledge your report within 48 hours. We will investigate every valid report and work to resolve confirmed issues as quickly as possible. We ask that you give us reasonable time to address the issue before any public disclosure, and that you do not access, modify, or delete any data that does not belong to you during your research.

We do not currently operate a paid bug bounty programme, but we will acknowledge your contribution publicly if you would like that, and we are genuinely grateful for responsible disclosures that help us build a more secure product.